// This is mozilla/security/manager/ssl/src/md4.c, CVS rev. 1.1, with trivial
// changes to port it to our source tree.
//
// WARNING: MD4 is cryptographically weak.  Do not use MD4 except in NTLM
// authentication.

/* vim:set ts=2 sw=2 et cindent: */
/* ***** BEGIN LICENSE BLOCK *****
 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 *
 * The contents of this file are subject to the Mozilla Public License Version
 * 1.1 (the "License"); you may not use this file except in compliance with
 * the License. You may obtain a copy of the License at
 * http://www.mozilla.org/MPL/
 *
 * Software distributed under the License is distributed on an "AS IS" basis,
 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
 * for the specific language governing rights and limitations under the
 * License.
 *
 * The Original Code is Mozilla.
 *
 * The Initial Developer of the Original Code is IBM Corporation.
 * Portions created by IBM Corporation are Copyright (C) 2003
 * IBM Corporation. All Rights Reserved.
 *
 * Contributor(s):
 *   Darin Fisher <darin@meer.net>
 *
 * Alternatively, the contents of this file may be used under the terms of
 * either the GNU General Public License Version 2 or later (the "GPL"), or
 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
 * in which case the provisions of the GPL or the LGPL are applicable instead
 * of those above. If you wish to allow use of your version of this file only
 * under the terms of either the GPL or the LGPL, and not to allow others to
 * use your version of this file under the terms of the MPL, indicate your
 * decision by deleting the provisions above and replace them with the notice
 * and other provisions required by the GPL or the LGPL. If you do not delete
 * the provisions above, a recipient may use your version of this file under
 * the terms of any one of the MPL, the GPL or the LGPL.
 *
 * ***** END LICENSE BLOCK ***** */

/*
 * "clean room" MD4 implementation (see RFC 1320)
 */

#include "net/http/md4.h"

#include <string.h>

typedef uint32_t Uint32;
typedef uint8_t Uint8;

/* the "conditional" function */
#define F(x, y, z) (((x) & (y)) | (~(x) & (z)))

/* the "majority" function */
#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))

/* the "parity" function */
#define H(x, y, z) ((x) ^ (y) ^ (z))

/* rotate n-bits to the left */
#define ROTL(x, n) (((x) << (n)) | ((x) >> (0x20 - n)))

/* round 1: [abcd k s]: a = (a + F(b,c,d) + X[k]) <<< s */
#define RD1(a, b, c, d, k, s) \
    a += F(b, c, d) + X[k];   \
    a = ROTL(a, s)

/* round 2: [abcd k s]: a = (a + G(b,c,d) + X[k] + MAGIC) <<< s */
#define RD2(a, b, c, d, k, s)            \
    a += G(b, c, d) + X[k] + 0x5A827999; \
    a = ROTL(a, s)

/* round 3: [abcd k s]: a = (a + H(b,c,d) + X[k] + MAGIC) <<< s */
#define RD3(a, b, c, d, k, s)            \
    a += H(b, c, d) + X[k] + 0x6ED9EBA1; \
    a = ROTL(a, s)

/* converts from word array to byte array, len is number of bytes */
static void w2b(Uint8* out, const Uint32* in, Uint32 len)
{
    Uint8* bp;
    const Uint32 *wp, *wpend;

    bp = out;
    wp = in;
    wpend = wp + (len >> 2);

    for (; wp != wpend; ++wp, bp += 4) {
        bp[0] = (Uint8)((*wp) & 0xFF);
        bp[1] = (Uint8)((*wp >> 8) & 0xFF);
        bp[2] = (Uint8)((*wp >> 16) & 0xFF);
        bp[3] = (Uint8)((*wp >> 24) & 0xFF);
    }
}

/* converts from byte array to word array, len is number of bytes */
static void b2w(Uint32* out, const Uint8* in, Uint32 len)
{
    Uint32* wp;
    const Uint8 *bp, *bpend;

    wp = out;
    bp = in;
    bpend = in + len;

    for (; bp != bpend; bp += 4, ++wp) {
        *wp = (Uint32)(bp[0]) | (Uint32)(bp[1] << 8) | (Uint32)(bp[2] << 16) | (Uint32)(bp[3] << 24);
    }
}

/* update state: data is 64 bytes in length */
static void md4step(Uint32 state[4], const Uint8* data)
{
    Uint32 A, B, C, D, X[16];

    b2w(X, data, 64);

    A = state[0];
    B = state[1];
    C = state[2];
    D = state[3];

    RD1(A, B, C, D, 0, 3);
    RD1(D, A, B, C, 1, 7);
    RD1(C, D, A, B, 2, 11);
    RD1(B, C, D, A, 3, 19);
    RD1(A, B, C, D, 4, 3);
    RD1(D, A, B, C, 5, 7);
    RD1(C, D, A, B, 6, 11);
    RD1(B, C, D, A, 7, 19);
    RD1(A, B, C, D, 8, 3);
    RD1(D, A, B, C, 9, 7);
    RD1(C, D, A, B, 10, 11);
    RD1(B, C, D, A, 11, 19);
    RD1(A, B, C, D, 12, 3);
    RD1(D, A, B, C, 13, 7);
    RD1(C, D, A, B, 14, 11);
    RD1(B, C, D, A, 15, 19);

    RD2(A, B, C, D, 0, 3);
    RD2(D, A, B, C, 4, 5);
    RD2(C, D, A, B, 8, 9);
    RD2(B, C, D, A, 12, 13);
    RD2(A, B, C, D, 1, 3);
    RD2(D, A, B, C, 5, 5);
    RD2(C, D, A, B, 9, 9);
    RD2(B, C, D, A, 13, 13);
    RD2(A, B, C, D, 2, 3);
    RD2(D, A, B, C, 6, 5);
    RD2(C, D, A, B, 10, 9);
    RD2(B, C, D, A, 14, 13);
    RD2(A, B, C, D, 3, 3);
    RD2(D, A, B, C, 7, 5);
    RD2(C, D, A, B, 11, 9);
    RD2(B, C, D, A, 15, 13);

    RD3(A, B, C, D, 0, 3);
    RD3(D, A, B, C, 8, 9);
    RD3(C, D, A, B, 4, 11);
    RD3(B, C, D, A, 12, 15);
    RD3(A, B, C, D, 2, 3);
    RD3(D, A, B, C, 10, 9);
    RD3(C, D, A, B, 6, 11);
    RD3(B, C, D, A, 14, 15);
    RD3(A, B, C, D, 1, 3);
    RD3(D, A, B, C, 9, 9);
    RD3(C, D, A, B, 5, 11);
    RD3(B, C, D, A, 13, 15);
    RD3(A, B, C, D, 3, 3);
    RD3(D, A, B, C, 11, 9);
    RD3(C, D, A, B, 7, 11);
    RD3(B, C, D, A, 15, 15);

    state[0] += A;
    state[1] += B;
    state[2] += C;
    state[3] += D;
}

namespace net {
namespace weak_crypto {

    void MD4Sum(const Uint8* input, Uint32 inputLen, Uint8* result)
    {
        Uint8 final[128];
        Uint32 i, n, m, state[4];

        /* magic initial states */
        state[0] = 0x67452301;
        state[1] = 0xEFCDAB89;
        state[2] = 0x98BADCFE;
        state[3] = 0x10325476;

        /* compute number of complete 64-byte segments contained in input */
        m = inputLen >> 6;

        /* digest first m segments */
        for (i = 0; i < m; ++i)
            md4step(state, (input + (i << 6)));

        /* build final buffer */
        n = inputLen % 64;
        memcpy(final, input + (m << 6), n);
        final[n] = 0x80;
        memset(final + n + 1, 0, 120 - (n + 1));

        inputLen = inputLen << 3;
        w2b(final + (n >= 56 ? 120 : 56), &inputLen, 4);

        md4step(state, final);
        if (n >= 56)
            md4step(state, final + 64);

        /* copy state to result */
        w2b(result, state, 16);
    }

} // namespace net::weak_crypto
} // namespace net
